The cultural divide on data protection – USA vs EU

We are several months past the 10 year anniversary of the September 11 (9/11) attacks, but one of the significant consequences of that event a decade ago highlights the cultural divide between the USA and Europe on data protection.  Data privacy has been hitting the news recently because of Google’s changes in their terms and condition.  Frank Jennings of DMH Stallard, who chairs the Governace Board for the CIF Code of Practice on which I sit, has just published a good analysis of the proposed reforms to the EU’s data protection laws, and that triggered me to visit the topic here.  Data in terms of security, privacy and sovereignty is still the number 1 issue for companies who are first considering Cloud Computing.   As a buyer, you need to carry out your due diligence for any software, platform or infrastructure as a service – you should be checking how and where the provider will be storing your data, and how YOU will comply with legislation like the Data Protection Act.Here in the UK, if your systems handle personal information about individuals you have a number of legal obligations to protect that information under the Data Protection Act 1998.  That UK law was enacted to fall in line with the European Directive of 1995 which required EU Member States to protect people’s fundamental rights and freedoms.  If you read Frank’s analysis of the proposed reforms you’ll see that the act has resulted in 27 different interpretations and too much red tape, hence the need for reform.  The current act protects a persons right to privacy including how their personal data is processed.  With a Cloud service you have to ask the question – where is my data?   That becomes important when you check the Information Commissioner’s website which tells you:

“You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK.  However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.”

So in the EU we’re all about regulation and compliance protecting the rights of the individual.  In the USA things are very different.  The attitude to data is more governed by market forces along with the heightened attention on security issues rising out of those attacks 10 years ago.  Just six weeks after the attacksThe Patriot Act” was enacted, or to give its full title “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001“.  It dramatically reduced restrictions on the various US law enforcement agencies in their ability to search telephone, e-mail communications, medical, financial, and other records including  foreign intelligence gathering within the United States.  It expands the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities and broadened the discretion of law enforcement and immigration authorities. Search warrants can be executed without immediately informing their targets.  There has been plenty of debate on the topic, and some would say the law has done more damage than good to the reputation of the United States.  There is worry in terms of civil liberties and whether the Act is really good for peace and national security.  Sadly back last year some of the powers were extended to June 2015.  But what actually happens in practice?  A New York Magazine feature last year highlights that the act had been used 1,618 times investigating Drug offences, 122 times for fraud, but only 15 times for the terrorism that it was intended for.  The result is that any data stored in the US can be handed over to the US government without so much as a court order or even notice to the owner.  But what about US companies operating over here?

I know this is hot topic with John Patterson, CEO of Europe’s most successful Cloud based CRM provider Really Simple Systems.  He told me:

“There is already enough confusion over whether UK companies are complying with EC data laws by storing their data on servers in the USA, even with companies who say that they comply with “Safe Harbor”, an unregulated and fairly meaningless cop-out. But does the Patriot Act make Safe Harbor totally redundant? Nobody knows for sure, but it is safe to assume that US authorities won’t be shy in assuming that the Patriot Act overrules any EC law.”

The Safe Harbor John mentions is a framework under which US companies can self-certify that they comply with the obligations under EU data protection regulations. The framework allows for the sharing of data between the EU and self-certified US companies under certain restrictions, such as the promise of reasonable data security and informing the EU of the request for access to the data in question.

John’s fears have been corroborated by two major US corporations.  Back in June 2011 at the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that data stored in their Cloud, regardless of where it is in the world, is not protected from the Patriot Act.  In August of 2011 Google also confirmed to Germany’s  WirtschaftsWoche that their servers in Europe have no protection from it.  That means that some UK and European Cloud companies might spread some FUD (fear uncertainty and doubt) and get a short term advantage over their US competitors.  I’ve already heard of one UK government project being shelved 3 months in to development on a well know US PaaS once this issue came to light.

This highlights the need for Cloud providers to be transparent about the supply chain that underpins their service.  For my own part, we use Google Apps and we are happy to trust our documents and data to that provider and the potential risk of The Patriot Act, but not everyone will be that comfortable.  As a buyer you need to go in with your eyes open and check how and where your data is stored, consider the data protection implications and decide your own position on The Patriot Act.  This is a big topic that, up to now, hasn’t got the attention it deserves.

A version of this article was first published on Fresh Business Thinking and then on Business Cloud News.

Photo reproduced from Blame It On The Voices.



LinkedIn Twitter
Founder & CXO of Agile Elephant, a digital transformation consultancy and solutions provider. Head of D2C, a consulting firm which provides business and social media consulting and Cloud based solutions for content, collaboration, web publishing, online accounting and ERP. Was director EuroCloud UK, chaired techUK's Software as a Service Group, now Chair of Cloud Industry Forum.